#!/bin/bash
#############创建用户组############
echo "Creat a group!"
echo "group name:"
read gname
groupadd $gname
##############创建新用户##############
echo "Creat a user!"
echo "username:"
read name
useradd $name
passwd $name
usermod -G wheel $name
############配置密码策略################
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS    90/g' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS    0/g' /etc/login.defs
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN    8/g' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE    7/g' /etc/login.defs
echo "password    requisite     pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" >> /etc/pam.d/system-auth
sed -i 's/^UMASK.*/UMASK    027/g' /etc/login.defs
############删除出root之外uid为0的用户################
awk -F : '{print $1,$3}' /etc/passwd | while read a b
do
if [ ${b} = 0 ] && [ ${a} != root ]
then
sed -i -e /${a}/s/0/999/ /etc/passwd
userdel $a
fi
done
###############锁定无用账号###############
usermod -L listen
usermod -L gdm
usermod -L webservd
usermod -L nobody
usermod -L nobody4
usermod -L noaccess
#############修改profile############
echo "TMOUT=300" >> /etc/profile
sed -i 's/umask.*/umask   027/g' /etc/profile
#############修改重要文件权限###########
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 644 /etc/passwd
chmod 775 /var/log/cron
chmod 775 /var/log/secure
chmod 755 /var/log/messages
chmod 775 /var/log/boot.log
chmod 775 /var/log/mail
chmod 775 /var/log/spooler
chmod 775 /var/log/maillog
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm -04000 -o -perm -02000 -type f -xdev 2>/dev/null > /tmp/tmp
while read line
do
chmod 755 $line
done < /tmp/tmp
##########限制root登录##############
echo "auth required pam_securetty.so" >> /etc/pam.d/login
sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
echo "auth required pam_wheel.so group=wheel" >> /etc/pam.d/su
###############设置ssh登录Banner###########
touch /etc/ssh_banner 
chown bin:bin /etc/ssh_banner 
chmod 644 /etc/ssh_banner 
echo "Authorized only. All activity will be monitored and reported " > /etc/ssh_banner 
echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
echo "Login success. All activity will be monitored and reported " > /etc/motd
##########删除隐藏的危险文件###########
find / -maxdepth 5 -name hosts.equiv 2>/dev/null > /tmp/tmp
find / -maxdepth 5 -name .rhosts 2>/dev/null >> /tmp/tmp
find / -maxdepth 5 -name .netrc 2>/dev/null >> /tmp/tmp
while read line
do
mv $line ${line}.bak
done < /tmp/tmp
##############vsftp配置##############
ftppath=`find / -maxdepth 5 -name vsftpd.conf`
echo "write_enable=YES" >> $ftppath
echo "ls_recurse_enable=YES" >> $ftppath
echo "local_umask=022" >> $ftppath
echo "anon_umask=022" >> $ftppath
echo "ftpd_banner="Authorized users only. All activity will be monitored and reported."" >> $ftppath
ftpuser=`find / -maxdepth 3 -name ftpusers`
echo "root" >> $ftpuser
sed -i 's/anonymous_enable=YES/anonymous_enable=NO/' $ftppath
mv /etc/issue /etc/issue.bak
mv /etc/issue.net /etc/issue.net.bak
############关闭不必要的服务#########
chkconfig kshell off
chkconfig time off
chkconfig ntalk off
chkconfig lpd off
chkconfig sendmail off
chkconfig printer off
chkconfig klogin off
chkconfig nfslock off
chkconfig echo off
chkconfig discard off
chkconfig chargen off
chkconfig bootps off
chkconfig tftp off
chkconfig nfs off
chkconfig ypbind off
chkconfig ident off
chkconfig daytime off
##############配置日志功能#############
mkdir /etc/syslog-ng/
echo "filter f_cron { facility(cron); }; destination cron { file("/var/log/cron"); };log { source(src);filter(f_cron);destination(cron); }; " >> /etc/syslog-ng/syslog-ng.conf
echo "cron.* /var/log/cron" >> /etc/rsyslog.conf
echo "cron.* /var/log/cron" >> /etc/syslog.conf
echo "destination logserver { udp("10.10.10.10" port(514)); };" >> /etc/syslog-ng/syslog-ng.conf
echo "*.* @192.168.0.1" >> /etc/rsyslog.conf
echo "*.* @192.168.0.1" >> /etc/syslog.conf
echo "authpriv.* /var/log/secure" >> /etc/rsyslog.conf
touch /var/log/secure

